Hi Leo, I've just submitted a patch to update PHP to version 7.1.7, which resolves the CVEs. Unfortunately PHP has 4 test errors on my machine (but also on the previous version), so I could not fully build it (disabling tests results in a working version of PHP). The relevant patch is at 27826. If someone could try building it, on x86_64 then we could be sure it's just my local environment that messes things up… Alex Leo Famulari writes: > Apparently our PHP package is vulnerable to CVE-2017-11144, > CVE-2017-11145, and CVE-2017-11362: > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145 > > This one looks especially bad: > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362 > > Can someone please take a look at this?